* New upstream release (http://www.openssh.org/txt/release-5.9).

  - Introduce sandboxing of the pre-auth privsep child using an optional
    sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
    mandatory restrictions on the syscalls the privsep child can perform.
  - Add new SHA256-based HMAC transport integrity modes from
    http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt.
  - The pre-authentication sshd(8) privilege separation slave process now
    logs via a socket shared with the master process, avoiding the need to
    maintain /dev/log inside the chroot (closes: #75043, #429243,
    #599240).
  - ssh(1) now warns when a server refuses X11 forwarding (closes:
    #504757).
  - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
    separated by whitespace (closes: #76312).  The authorized_keys2
    fallback is deprecated but documented (closes: #560156).
  - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4
    ToS/DSCP (closes: #498297).
  - ssh-add(1) now accepts keys piped from standard input.  E.g. "ssh-add
    - < /path/to/key" (closes: #229124).
  - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
  - Say "required" rather than "recommended" in unprotected-private-key
    warning (LP: #663455).

1 files changed, 4 insertions, 19 deletions

diff --git a/auth.c b/auth.c
index 4f9b75334..3e8fe57b2 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.91 2010/11/29 23:45:51 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.94 2011/05/23 03:33:38 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -332,7 +332,7 @@ auth_root_allowed(char *method)
  *
  * This returns a buffer allocated by xmalloc.
  */
-static char *
+char *
 expand_authorized_keys(const char *filename, struct passwd *pw)
 {
         char *file, ret[MAXPATHLEN];
@@ -356,18 +356,6 @@ expand_authorized_keys(const char *filename, struct passwd *pw)
 }
 
 char *
-authorized_keys_file(struct passwd *pw)
-{
-        return expand_authorized_keys(options.authorized_keys_file, pw);
-}
-
-char *
-authorized_keys_file2(struct passwd *pw)
-{
-        return expand_authorized_keys(options.authorized_keys_file2, pw);
-}
-
-char *
 authorized_principals_file(struct passwd *pw)
 {
         if (options.authorized_principals_file == NULL)
@@ -467,7 +455,6 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
                 }
                 strlcpy(buf, cp, sizeof(buf));
 
-                debug3("secure_filename: checking '%s'", buf);
                 if (stat(buf, &st) < 0 ||
                     !secure_permissions(&st, uid)) {
                         snprintf(err, errlen,
@@ -476,11 +463,9 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
                 }
 
                 /* If are past the homedir then we can stop */
-                if (comparehome && strcmp(homedir, buf) == 0) {
-                        debug3("secure_filename: terminating check at '%s'",
-                            buf);
+                if (comparehome && strcmp(homedir, buf) == 0)
                         break;
-                }
+
                 /*
                  * dirname should always complete with a "/" path,
                  * but we can be paranoid and check for "." too